March 2026
When a file is deleted, most users assume it disappears forever. In reality, the operating system usually removes only the reference to the file, while the underlying data may remain on the disk until it is overwritten.
This leftover information is what digital forensic investigators call artifacts. Artifacts can reveal previous activity on a computer system, including deleted files, fragments of documents, browsing activity, and more.
A digital artifact is any piece of data left behind by normal system activity. These remnants can be analyzed to reconstruct past events on a system.
Examples include:
Hard drives store files in fixed-size units called clusters. If a file does not completely fill the final cluster allocated to it, the remaining unused bytes are known as slack space.
This unused space may contain residual data from previously deleted files, making it particularly interesting during forensic analysis.
Cluster size: 4096 bytes
File size: 3000 bytes
Remaining: 1096 bytes = slack space
Investigators can sometimes recover fragments of previously stored information from this space.
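The sketch below is an added example, not code from the original post. It models a volume as an in-memory byte array to show why deleting a file and reusing its cluster leaves old bytes in the new file's slack space. The ToyVolume class, the file names and the marker string are all constructed for illustration, and real file systems differ in detail.

```python
CLUSTER_SIZE = 4096  # cluster size used in the example above

class ToyVolume:
    """Constructed in-memory volume: raw clusters plus a file table of references."""

    def __init__(self, clusters):
        self.disk = bytearray(clusters * CLUSTER_SIZE)
        self.table = {}                    # name -> (cluster chain, file size)
        self.free = list(range(clusters))

    def write(self, name, data):
        needed = max(1, -(-len(data) // CLUSTER_SIZE))  # ceiling division
        chain = [self.free.pop(0) for _ in range(needed)]
        for i, cluster in enumerate(chain):
            chunk = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            start = cluster * CLUSTER_SIZE
            # Only the file's own bytes are written; the cluster's tail is untouched.
            self.disk[start:start + len(chunk)] = chunk
        self.table[name] = (chain, len(data))

    def delete(self, name):
        # Deleting drops the reference and frees the clusters; the bytes stay on disk.
        chain, _ = self.table.pop(name)
        self.free = sorted(chain + self.free)

    def slack(self, name):
        chain, size = self.table[name]
        used = size - (len(chain) - 1) * CLUSTER_SIZE   # bytes used in the final cluster
        start = chain[-1] * CLUSTER_SIZE
        return bytes(self.disk[start + used:start + CLUSTER_SIZE])


MARKER = b"note-from-deleted-file"  # constructed sample content

def recover_demo():
    vol = ToyVolume(clusters=4)
    vol.write("old.doc", b"." * 3500 + MARKER)   # old file ends inside cluster 0
    vol.delete("old.doc")
    vol.write("new.txt", b"A" * 3000)            # 3000-byte file reuses cluster 0
    return vol, vol.slack("new.txt")

if __name__ == "__main__":
    vol, slack = recover_demo()
    print(len(slack), "bytes of slack;", "old data present:", MARKER in slack)
```

The new file's 3000 bytes overwrite only the start of the cluster, so the tail of the deleted file survives in the remaining 1096 bytes even though the file table no longer lists it.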
Slack space is only one example of hidden data. Investigators also examine:
Digital forensics plays an important role in cybersecurity investigations, incident response, and legal proceedings. By examining disk artifacts, analysts can reconstruct timelines and recover information that users believed had been permanently removed.
The following video provides an excellent introduction to forensic disk analysis:
Understanding where data hides on a system is a key skill for both security professionals and developers interested in low-level system behavior.